OAuth, OpenID Flaw: 7 Facts

Authentication-protocol implementation security flaws are not as serious as Heartbleed, but Facebook and other sites must be fixed, say security experts.

10 Ways To Fight Digital Theft & Fraud

(Click image for larger view and slideshow.)

The recently disclosed security flaws in some implementations of the widely used OAuth and OpenID website authentication mechanisms are serious. But they're not nearly as bad as the recently discovered Heartbleed vulnerability in OpenSSL, and they pose much less of an immediate and direct threat to people's personal information.

That's the message from numerous security researchers who have been investigating the details of security flaws in OAuth 2.0 and OpenID. Mathematics Ph.D. student Wang Jing issued a covert redirect vulnerability warning earlier this month.

"The vulnerability could lead to open redirect attacks to both clients and providers of OAuth 2.0 or OpenID," Wang said. "Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc."

After Wang published his warning, some media outlets began conflating the severity of the federated identity implementation flaws he highlighted to Heartbleed. But many information security experts disagree. "This is not as big a deal as Heartbleed. It's totally different -- comparing apples to oranges," says Satnam Narang, security response manager at Symantec.

Without a doubt, however, multiple open-redirect-related problems do need to be fixed. Here are seven related facts:

1. At risk: open redirects To be clear, the flaw highlighted by Wang -- which isn't new -- doesn't exist in OAuth 2 or OpenID, but rather in how some businesses have implemented those and other standards. The primary problem pertains to the use of open redirects, which redirect HTTP requests. "There have been open redirectors for as long as there's been HTML," said John Bradley, senior technical architect with Ping Identity, "so it's not a new problem." Bradley has contributed to SAML, OpenID Connect, Information Card (IMI), and XRI, among other identity standards and is also helping develop the next version of OpenID.

Furthermore, related protections are already available. "All those protocols have known about this problem since their inception, and have various mitigations," he explained by phone.

2. Developers, sites, don't follow security recommendations Many sites and developers don't follow the security mitigations recommended by the standards. Facebook, for example, allows developers to use whitelisting to restrict the range of sites to which incoming open-redirect requests can be redirected, which would block related exploits. But Facebook made it an optional feature. "They did that, as near as I can tell, because developers are lazy," Bradley said.

Likewise, to make it easier to authenticate users, some developers append access tokens to their HTTP requests before they get sent to open redirects. This, however, makes it easy for an attacker to employ JavaScript to strip the tokens out and log on to the site as the user.

3. ESPN abuse highlights attack seriousness Wang demonstrated that precise flaw in a YouTube clip, showing how an open redirector located on the ESPN website -- which allowed users to authenticate using Facebook Connect -- could be abused. Notably, the open redirector redirected to any site specified in a URL parameter, and also passed the query string parameters to the receiving site.

"Probably the biggest security problem in what happened to ESPN was that someone who got the access tokens and replayed them at ESPN could have gotten into those accounts at ESPN," Bradley said. But because the redirector was also passing the query string, an attacker could strip it out and reuse the token. "The same token can be replayed at ESPN or the Facebook client, which lets the user get into the site as that user," he explained. "So it's not just leaking people's information,

The simple fact is that implementations for these federation standards can be improved upon. Sure identity provides can claim all they want regarding the 'option' being there to close the open redirects to third party sites, but in the end these are only 'options'. Take a step in the right direction please and close the hole please http://goo.gl/27CTddhttp://goo.gl/eOqXy5 . Public updates on what you are doing about it would be a welcome step.

Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...

A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...

An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page &quot;/ui/cbpc/login&quot; is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie &quot;sid&quot; generated by the page. The attacker will have acc...